August 2, 2021

Volume XI, Number 214


July 30, 2021

Subscribe to Latest Legal News and Analysis

AG Becerra Announces Approval of Additional CCPA Regulations

Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020.  The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with the aim of “protecting consumers from unlawful business practices that may be deceptive or misleading”.  The changes to the regulations are effective immediately.

“California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” said Attorney General Becerra in the press release announcing the latest modifications to the CCPA regulations. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”

Right to Opt-Out Modifications

  • Ban on Dark Patterns that Delay or Obscure Opt-Outs. The newly approved regulations prohibit what AG Becerra references as “dark patterns” that cause ambiguity in the process of a consumer’s opting out of sale of their personal information. The regulations provide five examples of prohibitive measures related to opt-out methods including developing confusing language such as “double negatives” or unnecessary steps such as requiring consumers to click through multiple screens before opting out. A business’s methods for submitting requests to opt-out must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out.

  • Offline Opt-Out Methods. A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. For example, a brick-and-mortar store may inform consumers via paper forms or by posting signage in the area where personal information is collected and directing consumers to where opt-out information can be found online.

  • Privacy Icon. In addition, the latest regulations also provide covered businesses with an optional privacy options icon, which can be used in addition to posting the notice of right to opt out, but not in lieu of any related requirements. The icon should be the approximately the same size as any other icon used by the business on its webpage. The icon was developed by Carnegie Mellon University’s Cylab jointly with the University of Michigan’s School of Information by testing the icon against other icons to determine the most effective design for communicating to the consumer its right to opt out. The icon is available for download here.

Authorized Agent.

The latest regulations also address the use of an authorized agent. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Previously, this requirement was placed on the consumer.

That said, a business may still require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.


 AG Becerra’s press release reminds companies that enforcement of the law is alive and well, but that the Department has been pleased to see widespread compliance by companies doing business in California, particularly in response to “notice to cure”, which provides companies a 30-day window to remedy their noncompliance.  Companies should continue to monitor CCPA developments and ensure their privacy programs and procedures remain aligned with current compliance requirements.

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 75

About this Author


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.